IT Risk Management Class #7

Questions and Answers

What is the primary focus of ISO 27001 regarding information management?

• Maximizing organizational profits through data analytics
• Ensuring compliance with all state regulations
• Increasing employee productivity with new software
• Protecting confidentiality, integrity, and availability of information (correct)

Which aspect is NOT a part of implementing ISO 27001 in an organization?

• Establishing policies and procedures to prevent breaches
• Identifying and managing security risks
• Setting organizational rules for information security
• Conducting regular financial audits of the organization (correct)

What is the philosophy behind ISO 27001's approach to information security?

• Establishing a data governance framework for all data types
• Developing a culture of transparency and open communication
• Focusing solely on technical safeguards against cyber attacks
• Managing risks through systematic identification and treatment (correct)

What does the acronym C-I-A stand for in the context of ISO 27001?

Confidentiality, Integrity, Availability (D)

Which of the following best describes an Information Security Management System (ISMS) as per ISO 27001?

A structured framework for managing multiple security controls and policies (D)

What is the primary purpose of adopting industry frameworks for information security risk management?

To provide a structured approach based on best practices and past failures. (B)

Which of the following is NOT mentioned as a benefit of using a well-known security framework?

Ensuring all employees are trained in information security. (C)

When selecting an industry framework, organizations should prioritize:

Alignment with the long-term mission of the organization. (D)

Why might a client demand certification in frameworks like ISO 27001?

To ensure the service provider meets industry-standard security measures. (B)

Which of the following frameworks is explicitly mentioned as part of the discussion?

ISO 27001/27002 (C)

Select the statement that best captures why security frameworks are beneficial for communication.

They standardize communication about security risks across different organizations. (A)

Which of these industry-specific frameworks is not included in the framework discussions?

ISO 27002 (A), SOX (Sarbanes-Oxley Act) (B)

What is a potential competitive advantage for organizations adopting a well-known framework?

Differentiating themselves when bidding for contracts with clients. (B)

What is the primary purpose of ISO/IEC 27002?

To establish guidelines for improving information security management (D)

How does ISO/IEC 27001 relate to ISO/IEC 27002?

27001 defines requirements while 27002 offers guidelines (C)

What distinguishes ISO/IEC 27002 from ISO/IEC 27001?

ISO 27002 is a code of practice instead of a certifiable standard (A)

Which of the following statements is true about ISO/IEC 27002 controls?

The controls are designed to address specific issues identified during risk assessments (A)

What is the total number of controls listed in ISO/IEC 27002?

114 controls (C)

In what scenario is ISO/IEC 27002 primarily utilized?

To address risks discovered post-risk assessment (A)

Which aspect of ISO/IEC 27001 is mentioned as a high-level requirement?

Information Security Risk Assessment (D)

What is a defining characteristic of the controls in ISO/IEC 27002?

They must be customized according to each organization's needs (D)

Which of the following ISO standards provides guidelines for implementing risk assessments?

ISO 27001 (D)

What is the main purpose of the CIS Critical Security Controls?

To recommend actions for effective cyber defense (A)

Which of the following is NOT one of the CIS Critical Security Controls?

Data Encryption Standards (C)

ISO 27002 is primarily focused on which aspect of information security?

Implementation of controls and guidelines (A)

Which CIS Control focuses specifically on managing accounts within an organization?

CIS Control 5 (D)

What is the significance of the CIS Controls' 'must-do, do-first' approach?

It highlights essential defensive actions for immediate implementation. (A)

Which of the following CIS Controls is associated with data recovery processes?

CIS Control 11 (B)

Which statement is true regarding the relationship between CIS Controls and other major frameworks?

CIS Controls do not conflict with other major frameworks. (B)

What is the primary benefit of using CIS Critical Security Controls?

They provide quick wins for risk reduction without significant procedural changes. (B)

Which CIS Control is focused on managing audit logs?

CIS Control 8: Audit Log Management (B)

How many major controls are included in CIS Version 8?

18 high-level controls (D)

What does IG1 in CIS Critical Security Controls represent?

Basic level of security requirements. (C)

Which category of organizations implement IG3 controls?

Organizations employing security experts in various fields. (A)

For what types of organizations are the CIS Critical Security Controls applicable?

Organizations at any maturity level and of any size. (B)

What is a key focus of the control list provided by CIS?

Helping organizations prioritize resources on high-value actions. (C)

Which of the following controls focuses on penetration testing?

CIS Control 18: Penetration Testing (A)

Flashcards are hidden until you start studying

Study Notes

Importance of Industry Frameworks in Information Security

• Well-known frameworks are based on industry best practices and lessons learned from past failures.
• They help prevent redundancy in security measures and practices.
• Adopted frameworks facilitate a common language for stakeholders, crucial in contract negotiations and understanding risk management approaches.
• Selecting a framework should align with the organization’s long-term mission for enhanced information security posture.
• Certification in recognized frameworks like ISO 27001 offers potential competitive advantages and fulfills client requirements in contracts.
• Some organizations are required to comply with specific regulations like PCI and HIPAA, which are not covered by general frameworks.

ISO/IEC 27001

• An international standard focusing on managing information security risks and protecting confidentiality, integrity, and availability of information.
• Applicable to any organization, regardless of size or type, whether profit, non-profit, or government.
• Emphasizes systematic risk management and the formulation of policies and procedures to prevent security breaches.
• Implementation primarily involves establishing organizational rules to manage security controls effectively within an Information Security Management System (ISMS).

ISO/IEC 27002

• Provides guidelines and practices for improving information security but is not certifiable.
• Contains 114 controls covering multiple domains, addressing risks identified during risk assessments.
• Primarily complements ISO 27001 by offering detailed control mechanisms intended for organizations seeking certification or improving security processes.

Relationship Between ISO 27001 and 27002

• ISO 27001 specifies requirements for Information Security Management Systems, whereas ISO 27002 provides practical guidelines and best practices.
• ISO 27001 incorporates a high-level requirement for risk assessment, while ISO 27002 details various methodologies for conducting these assessments.
• Both standards are designed to be used together for comprehensive information security management.

CIS Critical Security Controls

• A recommended set of actions for effective cyber defense against pervasive attacks.
• Comprises high-priority controls that serve as critical starting points for organizations seeking to enhance cybersecurity.
• Can be aligned with other major frameworks like ISO 27001/2 and NIST CSF, reinforcing a unified approach to security management.

Benefits of CIS Critical Security Controls

• Suitable for all organizations and their varying operational contexts, regardless of size and maturity in security management.
• Focuses on efficient resource allocation by prioritizing immediate, high-value risk reduction measures.
• Latest version, CIS Version 8, includes 18 high-level controls classified into three maturity categories: IG1 (basic), IG2 (intermediate), IG3 (advanced).
• Organizations select controls from these categories based on their capabilities and security management level, addressing unique risk issues effectively.